
Enhance Adobe Connect account security

 

Adobe Connect administrators can turn on and enforce secure HTTPS connections to boost the security of their servers.

Adobe Connect administrators can enhance the security of their account from the Administration tab.

  1. Click Administration > Account > More Settings.

  2. Select Requires SSL Connection (RTMPS) so that Adobe Connect enforces use of the RTMPS protocol.

  3. Select Enable Enhanced Security to force Web Services APIs to use a secure (HTTPS) connection and to generate a new session identifier after a successful login.

    Note: Adobe recommends checking the Enhanced Security option.

Cross-Site Request Forgery (CSRF) protection

Adobe Connect enables end users or admins to enforce CSRF protection for state-changing XML API calls. 

We recommend that you enable CSRF protection for XML APIs, as it is the most secure configuration.

To enable CSRF protection, follow the steps below:

  1. On the Adobe Connect central page, click Administration > Account > More Settings.

  2. In the section CSRF Settings, check the option Enable CSRF Protection for XML API.

    Note: If Adobe Connect 11.4 was installed as a patch over a previous version, the option will be unchecked by default.

  3. CSRF protection relies on the client to send a secure session-specific CSRF cookie and a matching request parameter. All state-changing API calls are protected, for example:

    • acl-create
    • acl-field-update
    • acl-multi-field-update
    • permissions-update
    • sco-update
    • sco-upload
  4. Follow the steps below:

    1. After you authenticate, the following cookies are generated:

    • BREEZESESSION as the main Connect session cookie
    • BreezeCCookie as the CSRF cookie, based on the Connect session cookie

    2. Call the common-info API to get the CSRF token corresponding to the CSRF cookie (BreezeCCookie).

    • the CSRF token is returned as <OWASP_CSRFTOKEN><token>...........</token></OWASP_CSRFTOKEN>

    3. Send all subsequent HTTP GET API calls that change state with the BreezeCCookie as a cookie and an OWASP_CSRFTOKEN request parameter. For example:

         https://[SERVER_URL]/api/xml?action=[state changing action]&........&OWASP_CSRFTOKEN=[token_extracted_above]

    4. For integrations that call single or multiple XML APIs via a single HTTP POST method, send the OWASP_CSRFTOKEN (along with the BreezeCCookie CSRF cookie), as shown below:

        <actions mode='...' OWASP_CSRFTOKEN=[token_extracted_above]>

  5. Enable the option Exempt CSRF Protection for XML API calls to the following path.

    When you check this option, a server-generated secure URL appears. This URL allows accounts with XML API integrations to continue making their XML API calls against a secure and unique server-generated URL path.
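
The token flow from step 4, for GET calls only, as an added example that is not Adobe's code: it reads the token from a common-info response and attaches it, with both cookies, to a state-changing call. The sample response wrapper, token value, host name and function names are assumptions made for the illustration, and the https:// check is an addition in keeping with the HTTPS settings above.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Actions the page names as CSRF-protected (its list is examples, not exhaustive).
PROTECTED_ACTIONS = frozenset({
    "acl-create", "acl-field-update", "acl-multi-field-update",
    "permissions-update", "sco-update", "sco-upload",
})

# Constructed common-info response: only the OWASP_CSRFTOKEN/token element is
# taken from the page; the wrapper element and the token value are made up.
SAMPLE_COMMON_INFO = (
    "<results><status code='ok'/>"
    "<OWASP_CSRFTOKEN><token>constructed-token-123</token></OWASP_CSRFTOKEN>"
    "</results>"
)


def extract_csrf_token(common_info_xml):
    """Return the CSRF token from a common-info response; raise if it is absent."""
    node = ET.fromstring(common_info_xml).find(".//OWASP_CSRFTOKEN/token")
    token = (node.text or "").strip() if node is not None else ""
    if not token:
        # Fail closed rather than send a state-changing call without a token.
        raise ValueError("common-info response carries no OWASP_CSRFTOKEN")
    return token


def build_get_call(server_url, action, params, token, session_cookie, csrf_cookie):
    """Return (url, headers) for one XML API GET call."""
    if not server_url.lower().startswith("https://"):
        # The token rides in the query string, so never build a cleartext URL.
        raise ValueError("server URL must use HTTPS")
    query = {"action": action, **params}
    if action in PROTECTED_ACTIONS:
        query["OWASP_CSRFTOKEN"] = token
    url = f"{server_url.rstrip('/')}/api/xml?{urlencode(query)}"
    # BreezeCCookie is the CSRF cookie; BREEZESESSION keeps the call authenticated.
    cookie = f"BREEZESESSION={session_cookie}; BreezeCCookie={csrf_cookie}"
    return url, {"Cookie": cookie}


if __name__ == "__main__":
    tok = extract_csrf_token(SAMPLE_COMMON_INFO)
    print(build_get_call("https://connect.example.com", "sco-update",
                         {"sco-id": "42"}, tok, "SESSION", "CSRF"))
```

Because the token travels in the query string of GET calls, it also ends up wherever request URLs are logged, so treat those logs as sensitive for the lifetime of the session.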
